List of most recent nn files in folder (names and mod dates)

I’m trying to retrieve a list of all files starting with the name abcdef within a specific (log) folder.

In this case, I’d like to retrieve, as an example, the 10 most recent files (need to be able to vary that to potentially 15 or so file names) with the modification dates/times for those files. Basically I’ve gotta be able to review the logs from systems and confirm that they’ve generated logs over the last 2 weeks (10 days should cover the last couple of weekends as an example)

I’ve tried using the following and/or variants of this relevance, but am not getting results back:

( names of files of it, modification times of it ) whose ( name of it as lowercase starts with "clamscan" of it ) of items 15 of folder "/var/log/clamav"

(that one would be looking for the most recent 15 names… if I got the relevance right)


Got it, analysis is now pulling back more than a few things to review from systems… (with huge thanks to @jgstew for his examples, along with others that have also posted examples here).

I’m getting the following:

Most Recent ClamAV scan log - using following relevance:

( name of it, modification time of it ) of items 1 of ( maximum of modification times of files whose ( name of it as lowercase starts with "clamscan" ) of it, files whose ( name of it as lowercase starts with "clamscan" of it ) of it ) whose ( item 0 of it = modification time of item 1 of it ) of folder "/var/log/clamav"

Most recent Freshclam log - using following relevance: (very similar to the previous)

( name of it, modification time of it ) of items 1 of ( maximum of modification times of files whose ( name of it as lowercase starts with "freshclam" ) of it, files whose ( name of it as lowercase starts with "freshclam" of it ) of it ) whose ( item 0 of it = modification time of item 1 of it ) of folder "/var/log/clamav"

Most recent file in the log folder: (in case the system isn’t using the expected configuration for ClamAV and is producing a different log file name)

( name of it, modification time of it ) of items 1 of ( maximum of modification times of files whose ( name of it as lowercase ends with ".log" ) of it, files whose ( name of it as lowercase ends with ".log" of it ) of it ) whose ( item 0 of it = modification time of item 1 of it ) of folder "/var/log/clamav"

Name and date of oldest ClamScan log:

( name of it, modification time of it ) of items 1 of ( minimum of modification times of files whose ( name of it as lowercase starts with "clamscan" ) of it, files whose ( name of it as lowercase starts with "clamscan" of it ) of it ) whose ( item 0 of it = modification time of item 1 of it ) of folder "/var/log/clamav" /* ( name of file of it, modification time of it ) of find file "clamscan*.log" of folder "/var/log/clamav" */

And the one that I was stumbling on for above… (clearly not understanding what the sample was trying to show me, as I was actually trying to use the sample above to pull back say the last 15 log file names and dates vs. pulling back all of them) - All ClamScan logs in the log folder:

(name of it, modification time of it) of files whose (name of it as lowercase starts with "clamscan" of it) of folder "/var/log/clamav"

(I am still interested in limiting the results to say the last 15 entries and not “all” of the logs, but for now the “all of the log file names” one works to cover my needs – satisfying requirements to audit the systems and confirm that ClamAV has been running and performing the expected scans)

number of files whose (name of it as lowercase starts with "clamscan" of it AND (modification time of it > (now - 15 * day)) ) of folder "/var/log/clamav"

Should be >= 14 unless the AV is freshly installed, assuming there is 1 log per day with at least 14 logs retention.

You could consider a system compliant if the number of logs within the past 15 days is within 1 of the number of days since the OS was installed, or 14+, since otherwise new installs would fail this check.

Related: https://www.bigfix.me/relevance/details/2998835
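The same two checks the thread works out in relevance (the N most recent clamscan logs with their modification times, and the "logs in the last 15 days" compliance count), written as an added Python example that is not from the forum or from BigFix. It builds a constructed temp folder with dated clamscan logs instead of reading /var/log/clamav, and the is_compliant rule is my reading of the post above (14+ logs, or within 1 of the days since install).

```python
import os
from pathlib import Path
from tempfile import TemporaryDirectory

DAY = 24 * 60 * 60  # seconds, like relevance's "day" unit


def matching_logs(folder, prefix):
    """All (name, mtime) pairs whose lowercased name starts with prefix, newest first."""
    pairs = [(p.name, p.stat().st_mtime)
             for p in Path(folder).iterdir()
             if p.is_file() and p.name.lower().startswith(prefix)]
    return sorted(pairs, key=lambda pair: pair[1], reverse=True)


def recent_logs(folder, prefix, count):
    """The `count` most recent matching logs (the 10 or 15 asked for in the thread)."""
    return matching_logs(folder, prefix)[:count]


def count_within_days(folder, prefix, days, now):
    """Matching logs with modification time > now - days*day."""
    cutoff = now - days * DAY
    return sum(1 for _, mtime in matching_logs(folder, prefix) if mtime > cutoff)


def is_compliant(recent_count, days_since_install):
    """Assumed rule: 14+ logs in the window, or within 1 of days since OS install."""
    return recent_count >= 14 or abs(recent_count - days_since_install) <= 1


def build_sample_folder(folder, now, daily_logs=12, stale_logs=3):
    """Constructed data: one clamscan log per day, some stale ones, one freshclam log."""
    folder = Path(folder)
    for age in range(daily_logs + stale_logs):
        age_days = age if age < daily_logs else 20 + age  # stale logs fall outside 15 days
        path = folder / f"clamscan-{age_days:02d}d.log"
        path.write_text("scan summary (constructed)\n")
        os.utime(path, (now - age_days * DAY, now - age_days * DAY))
    fresh = folder / "freshclam.log"  # different prefix, must not be counted
    fresh.write_text("database updated (constructed)\n")
    os.utime(fresh, (now, now))


def demo(now=1_700_000_000.0):
    """Fixed 'now' so results are deterministic; returns (top-3 names, count in 15 days)."""
    with TemporaryDirectory() as tmp:
        build_sample_folder(tmp, now)
        names = [name for name, _ in recent_logs(tmp, "clamscan", 3)]
        recent = count_within_days(tmp, "clamscan", 15, now)
    return names, recent


if __name__ == "__main__":
    names, recent = demo()
    print("3 most recent:", names)
    print("clamscan logs in last 15 days:", recent, "compliant:", is_compliant(recent, 400))
```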

Thanks again for the help @jgstew, much appreciated and look forward to giving that one a try shortly. That should do what I would need very nicely (and is easy enough to figure out how to modify if we want to go back any further).
